Tal Klein of Adallom joined us on the January 16 Virtualization Security Podcast to discuss Adallom’s approach to logging, auditing, and generally gaining visibility within most SaaS applications. Adallom solves two longstanding problems: how can we as tenants obtain appropriate tenant-only logs of actions within a SaaS application, and how do we determine abnormal behavior within a SaaS application? Before Adallom, we had to ask the SaaS provider for log information, and this process would take quite a while, or, if it was readily available, it was not in real-time.

Visibility Starts with Logging

Logging is the bane of any cloud, as per-tenant logs are not natively available in the underlying infrastructure. They have to be built into the SaaS application, and many of those applications log for debugging purposes, not for tenant visibility, so you end up with a log that has within it data from multiple tenants. Because the logs are generally jumbles of multiple tenants’ and the hosting provider’s information, extracting a specific tenant’s data is cumbersome and fraught with the risk of legal liability for any unintentional exposure of another tenant’s data or even the provider’s internal data. Given this, there has been a need for each tenant to gain log-level visibility into SaaS, PaaS, and IaaS environments in which they normally do not gain such visibility.

Adallom works by hooking into the sign-on phase and, from then on, capturing all queries to and from a SaaS provider. It can work with IaaS cloud portals such as Amazon as well. In fact, because of its unique position, it is possible for it to detect per-tenant communication between different parts of the SaaS application, and it can determine if such communication is properly secured. This level of inspection goes far deeper than most gateway-based approaches.

It is all about visibility, which starts with logging of actions, but then we have to do something with those logs.

Visibility Is Enhanced by Analytics

We keep coming back to analytics. Most security tools now include or are built upon analytics packages to gain more insight into what is happening. Sometimes, an attack could be a grab of data spread out over many calls, but if the administrator is normally allowed to do these actions, how can you even tell that an attack is happening? Into this breach steps analytics. Adallom has its own set of behavioral analysis analytics, but it also allows the raw log data to be sent to your SIEM or analytics package of choice. The combination of tools could give you far better insight into the SaaS application, or even IaaS cloud portal, than you might expect. The data currently used by Adallom for security could also be sent to another tool for performance analytics, visibility into regulatory compliance, and any number of other creative uses.

Closing Thoughts

Tal brings us into the world that Adallom has exposed, a world we knew existed but could only touch the surface of using gateway products. Now we have a tool that works regardless of device, location, or cloud provider. One that provides visibility, behavioral analysis, and the ability to send data elsewhere for further analysis, retention, and protection. In fact, this data could be used to begin a cloud forensics case.

We no longer have to depend on the cloud provider for the logs, as we now have the ability to set up per-tenant logging of just our own tenancy’s actions. Even the clouds that do the best job of providing logs today, such as Salesforce, are setting up to use Adallom. The burden of log extraction has finally moved to the tenant. This not only removes the legal burden, but puts investigations of per-tenant breaches into hands that have a vested interest in ensuring such breaches do not happen.